
Atomicwork achieves CASA Tier 3 validation for its Google Drive integration

Atomicwork's Google Drive integration has cleared CASA Tier 3, the most rigorous level of Google's Cloud Application Security Assessment.

We're excited to share that Atomicwork's Google Drive integration has cleared CASA Tier 3, the most rigorous level of the Cloud Application Security Assessment. The Letter of Validation (LOV) from TAC Security, an authorized App Defense Alliance lab, marks the official close of this assessment, after our Google integration was put through independent, hands-on security testing.

CASA Tier 3 means an outside lab examined how the application actually handles the data it touches and verified it against an established security standard, rather than us self-reporting. For an ITSM & ESM service management platform that connects to the tools your employees rely on every day, the highest tier is the one worth clearing.

What is CASA Tier 3?

The Cloud Application Security Assessment (CASA) is a security validation framework developed by the App Defense Alliance, an industry group founded by Google. It's built on the OWASP Application Security Verification Standard (ASVS), the same benchmark security teams use to test web and API security, so the controls being checked aren't an arbitrary checklist.

Any application that requests access to restricted Google scopes, like the Drive or Gmail APIs, has to pass a CASA assessment and revalidate every year. CASA uses three assurance tiers. The requirements are the same across all three; what changes is how the assessment is carried out:

  • Tier 1 — developer self-assessment, for the lowest-risk applications.
  • Tier 2 — a deeper review with automated scanning and verification.
  • Tier 3 — the highest assurance level, verified hands-on by an independent, authorized lab rather than self-attested. Once an application is validated at Tier 3, it stays at Tier 3 for every annual revalidation that follows.

Tier 3 is reserved for applications with higher-risk data access. Passing it means an outside lab tested the integration directly and confirmed it meets the standard, then issued a Letter of Validation to Google. That's the level our Google Drive integration was assessed at.

What our Google Drive integration was assessed on

The assessment, conducted independently by TAC Security, examined the integration across the ASVS control categories. The areas under scrutiny included:

  • Authentication and session management — how identities are verified and sessions are handled.
  • Access control — whether the integration requests and uses Google Drive scopes correctly, with no over-reach.
  • Data protection — how data is encrypted in transit and at rest as it moves between systems.
  • Input validation and error handling — how the application processes untrusted input and fails safely.
  • Logging and configuration — whether security-relevant events are captured and the environment is hardened.

With the testing complete and the controls verified, TAC Security issued the Letter of Validation that formally closes the assessment and is reported to Google.

What this means for our customers

For the CIOs and IT teams who run Atomicwork, this is third-party confirmation that the Google Drive integration meets the highest tier of Google's security bar. Specifically, you can count on:

  1. Independently tested data access. An authorized lab, not Atomicwork, verified how the integration handles your Google Drive data.
  2. Scoped, least-privilege access. The integration was checked to confirm it requests only the Google permissions it needs to do its job.
  3. Annual revalidation. CASA isn't one-and-done. The integration is re-assessed every year, so the validation stays current rather than going stale after launch.

How this builds on our existing security posture

Atomicwork is an AI-driven ITSM & ESM platform for the human and AI workforce, which means our AI coworkers act inside the same systems that hold sensitive company data. That design only works if the integrations underneath it are secure, which is why we put them through independent validation rather than taking our own word for it. Everything we hold is documented in our Trust Center.

CASA Tier 3 sits alongside the rest of our compliance posture: SOC 2 Type I & II, ISO 27001/27017/27018/27701, the recently earned ISO/IEC 42001:2023 certification for responsible AI management, plus GDPR, CCPA, HIPAA, and CSA STAR Level 1. Each one covers a different surface; together they reflect how we think about building a secure platform.

We'll keep validating our integrations as we add them, so you can connect Atomicwork to your stack without trading away security to do it. Talk to us if you'd like to go deeper on how we embed trust and compliance into the platform.
